Date: Fri, 08 May 2026 15:35:39 +0000
From: Alexander Ziaee <ziaee@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: 89d217ad06ea - main - sysutils/firstboot-pkg-upgrade: New port
Message-ID: <69fe02cb.319b4.3f9332eb@gitrepo.freebsd.org>
The branch main has been updated by ziaee:

URL: https://cgit.FreeBSD.org/ports/commit/?id=89d217ad06ead7f1138121ca2aa30099bba23165

commit 89d217ad06ead7f1138121ca2aa30099bba23165
Author: Alexander Ziaee <ziaee@FreeBSD.org>
AuthorDate: 2026-04-13 19:30:04 +0000
Commit: Alexander Ziaee <ziaee@FreeBSD.org>
CommitDate: 2026-05-08 15:35:12 +0000

    sysutils/firstboot-pkg-upgrade: New port

    Introduce an rc.d service to upgrade all packages on first boot, ensuring cloud images are deployed with no known vulnerabilities.

    By default, it will patch everything from all enabled repos, and record this in syslog. It accepts an optional additional line that specifies a list of space-separated specific repos to limit the upgrade to.

    Note specifying bogus repos results in the upgrade aborting, it will log this and will not try to not run again.

    MFH: 2026Q2
    Sponsored by: Amazon
    Sponsored by: Google Cloud
    Sponsored by: OVHcloud
    Reviewed by: bapt, cperciva
    Discussed with: bapt, cperciva, delphij, lwhsu
    Differential Revision: https://reviews.freebsd.org/D56381
---
 sysutils/firstboot-pkg-upgrade/Makefile | 20 +++++++
 .../files/firstboot_pkg_upgrade.in | 62 ++++++++++++++++++++++
 sysutils/firstboot-pkg-upgrade/pkg-descr | 6 +++
 3 files changed, 88 insertions(+)

diff --git a/sysutils/firstboot-pkg-upgrade/Makefile b/sysutils/firstboot-pkg-upgrade/Makefile new file mode 100644 index 000000000000..eb57aefd20dc --- /dev/null +++ b/sysutils/firstboot-pkg-upgrade/Makefile @@ -0,0 +1,20 @@ +PORTNAME= firstboot-pkg-upgrade +PORTVERSION= 1.0 +CATEGORIES= sysutils +MASTER_SITES= # none +DISTFILES= # none +EXTRACT_ONLY= # none + +MAINTAINER= ziaee@FreeBSD.org +COMMENT= Update the system using pkg when it first boots + +LICENSE= BSD2CLAUSE + +NO_WRKSUBDIR= yes +NO_BUILD= yes +NO_INSTALL= yes +NO_ARCH= yes + +USE_RC_SUBR= firstboot_pkg_upgrade + +.include <bsd.port.mk> 
diff --git a/sysutils/firstboot-pkg-upgrade/files/firstboot_pkg_upgrade.in b/sysutils/firstboot-pkg-upgrade/files/firstboot_pkg_upgrade.in new file mode 100644 index 000000000000..f63e4b7ad42d --- /dev/null +++ b/sysutils/firstboot-pkg-upgrade/files/firstboot_pkg_upgrade.in @@ -0,0 +1,62 @@ +#!/bin/sh + +# KEYWORD: firstboot +# PROVIDE: firstboot_pkg_upgrade +# REQUIRE: syslogd NETWORKING +# BEFORE: LOGIN + +# Add the following lines to /etc/rc.conf.local or /etc/rc.conf (in the +# disk image, since this only runs on the first boot) to enable this: +# +# firstboot_pkg_upgrade_enable="YES" +# +# By default this upgrades all packages, to limit this to a specific +# repo, write it in firstboot_pkg_upgrade_repos, e.g., +# +# firstboot_pkg_upgrade_repos="FreeBSD-base FreeBSD-ports" +# +# Note that release engineering only provides base system updates for +# *BETA*, *RC*, and *RELEASE* systems. + +. /etc/rc.subr + +: ${firstboot_pkg_upgrade_enable:="NO"} + +name="firstboot_pkg_upgrade" +rcvar=firstboot_pkg_upgrade_enable +start_cmd="firstboot_pkg_upgrade_run | logger -s -t pkg" +stop_cmd=":" + +firstboot_pkg_upgrade_run() +{ + pkg -N > /dev/null 2>&1 || pkg bootstrap -y + pkg update + + state_orig=`pkg info | sha256` + repo_args="" + + for repo in ${firstboot_pkg_upgrade_repos}; do + repo_args="${repo_args} -r ${repo}" + done + + env AUTOCLEAN=ON pkg upgrade ${repo_args} -y + + state_new=`pkg info | sha256` + + case "`uname -r`" in + *-BETA* | *-RC* | *-RELEASE*) + if [ $state_orig != $state_new ]; then + echo "Requesting reboot after installing updates." + touch ${firstboot_sentinel}-reboot + else + return 0 + ;; + *) + return 0 + ;; + esac +} + +load_rc_config $name +run_rc_command "$1" + diff --git a/sysutils/firstboot-pkg-upgrade/pkg-descr b/sysutils/firstboot-pkg-upgrade/pkg-descr new file mode 100644 index 000000000000..bb480adb5e86 --- /dev/null +++ b/sysutils/firstboot-pkg-upgrade/pkg-descr 
@@ -0,0 +1,6 @@ +Run 'pkg upgrade' when the system first boots to check for any software +updates, apply them, and request a reboot. + +Obviously, this port is not useful after a system is already running; it is +intended to be included as part of the installation or disk image building +process.
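Review bot: In files/firstboot_pkg_upgrade.in, the `if [ $state_orig != $state_new ]; then` block inside the `*-BETA* | *-RC* | *-RELEASE*)` case arm has no closing `fi` before the `;;`, so as shown sh stops with a syntax error when it parses firstboot_pkg_upgrade_run; add `fi` after the `else` branch's `return 0`. While there, quote both operands (`[ "$state_orig" != "$state_new" ]`) so that an empty value does not turn the comparison into a test usage error. Also, because start_cmd is `firstboot_pkg_upgrade_run | logger -s -t pkg`, the status rc sees is logger's, and the function does not check the return value of `pkg update` or `pkg upgrade`, so a failed or aborted upgrade is only visible in the log text. Given that the stated goal is images with no known vulnerabilities, consider logging an explicit failure line when either command returns non-zero.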
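Review bot: pkg-descr states unconditionally that the port will "apply them, and request a reboot", but in the rc script the `touch ${firstboot_sentinel}-reboot` line is reached only on *-BETA*, *-RC* and *-RELEASE* systems and only when the `pkg info` hash changed; suggest wording such as "and request a reboot if needed". The description also omits firstboot_pkg_upgrade_repos and the syslog output via `logger -s -t pkg`, both of which the commit message and the script comments describe, and a sentence on each would help image builders who read only pkg-descr.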
